In a complaint filed with the Federal Trade Commission (FTC) on Tuesday, the US digital rights group Electronic Frontier Foundation (EFF) said Google's use of the data – collected through its Google for Education program – breached Section 5 of the Federal Communications Act.
The EFF has now asked the FTC to investigate the matter, saying the technology giant had gone against its word to respect student privacy.
“Despite publicly promising not to, Google mines students’ browsing data and other information, and uses it for the company’s own purposes,” the EFF said in a statement.
However, Google Education provided a rebuttal to the claims, denying it had compromised students’ digital privacy in a statement on its website.
Jonathan Rochelle, director of Google Apps for Education, said students’ personal Core Services data was only used to provide the services themselves, so students could do things like communicate using email and collaborate on assignments using Google Docs.
“There are no ads in these Core Services, and student data in these services is not used for advertising purposes,” Rochelle wrote.
The EFF said Google's practices "fly in the face of commitments made when it signed the Student Privacy Pledge," referring to a document signed by 200 companies including Google, Microsoft and Apple.
In light of the pledge, the EFF said Google's collection of student data amounted to an unfair or deceptive business practice. It now wants the FTC to investigate, force Google to destroy the student data it has collected, and bar it from collecting any more.
While Google does not use student data for targeted advertising within a subset of Google sites, EFF found that Google’s “Sync” feature for the Chrome browser is enabled by default on nearly 10 million Chromebooks that have been sold to schools.
This allows Google to track, store on its servers, and data-mine for non-advertising purposes, records of every Internet site students visit, every search term they use, the results they click on, videos they look for and watch on YouTube, and even their saved passwords.
Rochelle countered this claim by stating that personally-identifiable Chrome Sync data was only used to power features in Chrome for that person.
“In addition, our systems compile data aggregated from millions of users of Chrome Sync and, after completely removing information about individual users, we use this data to holistically improve the services we provide,” he wrote.
Mark MacCarthy, senior vice president of public policy at the Software and Information Industry Association (SIIA), said there had been a misunderstanding over the pledge, which he said only applied to applications, services, or web sites “designed and marketed for use in United States elementary and secondary educational institutions.”
Electronic Frontiers Australia executive officer, Jon Lawrence, told The Educator that while he was unable to comment on the specific complaint by EFF, it was “critically important” that Australian education authorities were proactive about ensuring “the highest levels of privacy protection for students”.
“I think the best way to achieve accountability and improvements in relation to privacy protections on the part of large commercial providers is for their customers to demand them,” he said.
“This has already happened to a significant extent, particularly since Edward Snowden's revelations about the extent of US internet surveillance, and there are now clear commercial incentives for these providers to enhance their privacy protections.”
Lawrence said there was also a role for “meaningful legislative protections”, backed by properly-resourced independent oversight.
“The previous [Abbott] government's attempt to abolish the Office of the Australian Information Commissioner is a major concern,” he said.
“The government's failure to introduce mandatory data breach notification legislation, despite commitments to do so before the end of 2015, is another major concern.”